China is the new global heartland of automotive innovation – but connected vehicles must comply with Western security regulations 

Chinese automakers are leading the charge towards a future dominated by connected vehicles. There’s never been a better time to export these vehicles to Western markets – provided manufacturers can adjust their security practices to account for new regulatory environments.

The next heartland of automotive innovation  

For many years, China’s formidable industrial output and robust manufacturing infrastructure has earned the country the label of “the world’s factory.”  

While this account is still largely correct, China is now far more than a low-cost manufacturing base: it’s also home to a huge amount of innovation in the automotive sector.

In fact, according to a 2021 study from tech advisory ABI Research, approximately 50 per cent of vehicles produced by Chinese manufacturers in that year featured some degree of connectivity. This meant that, by the end of the year, the total number of connected cars in China came to around 40 million. 

This ethos of innovation is being matched with new levels of export-related ambition. According to a recent Bloomberg report, China accounted for almost 60 per cent of global exports of electric vehicles in 2021, indicating a worldwide appetite for China’s contribution to the latest in automotive design. 

However, Chinese brands looking to export their cutting-edge vehicles to Western markets will need to account for the security challenges that connected cars will face in the context of a vastly different regulatory environment. 

The regulatory challenges of international expansion  

Domestically, Chinese automotive manufacturers benefit from a regulatory environment that can only be described as permissive – in stark contrast to their Western counterparts.  

This is true of various manufacturing industries, but the urgent need for compliance is especially significant in the context of connected vehicles, which Western and global regulators will expect to demonstrate both physical and cryptographical forms of safety. 

Chinese manufacturers will, for example, undoubtedly want to export to the 54 countries covered by the United Nations Economic Commission for Europe’s WP.29 regulation (specifically articles R155 and R156).  These include parts of the EU and OECD, alongside other important markets like Japan, South Korea, Russia, Australia, and South Africa.  

WP.29 requires automakers to implement a variety of cybersecurity measures, from the broader identification and management of cybersecurity risks in vehicle design to the analysis of successful and attempted cyberattacks. 

The regulation also requires a comprehensive approach to safe software updates. This includes providing thorough protections to software update delivery mechanisms; verification that software on a given component acts as it should; and a host of related assurances. 

Not only are these demands intensive, but they’re also too vast to ‘bolt on’ after a connected vehicle has been built. Instead, compliance needs to be threaded into the manufacturing process, ensuring that cybersecurity is baked, as it were, into the crust of each connected automobile.   

Without demonstrating that cybersecurity is built into the heart of the vehicle at launch and that it can be updated through the vehicle’s life cycle, it will become increasingly difficult to gain type approval. This poses plenty of challenges for established domestic players – let alone new market entrants. 

Reassuring connected service providers

Extensive though these regulations are, the challenge for Chinese exporters doesn’t end there.  

Equal attention must be paid to the security requirements of the various online services that connected vehicles connect with. 

Customers will expect, for example, for a connected car to integrate with Amazon’s Alexa. While this may seem like a fairly innocuous expectation for a connected vehicle, Amazon itself will have its own security criteria that Chinese manufacturers will need to address. 

After all, poorly integrated Alexa experiences threaten Amazon’s AWS backend, and such organisations expect stringent and diligent security in recognition of this kind of threat. Besides, voice control in today’s connected cars can do far more than turn the radio on: it’s deeply integrated into an array of features, including air conditioning, seat positions, windows, and so on. 

Amazon is only one example among many connected services that will have their own security standards. Without factoring in the Digital Rights Management (DRM) requirements of a Netflix or Hulu, even a connected car which satisfies the regulators may be unable to offer services that appeal to customers.  

Data obligations for next-gen business models

Of course, all of the services under discussion involve data which needs to be protected. 

This kind of next-generation technology is, in fact, frequently accompanied by next-generation business models and customer requirements to match. 

Shared ownership, for example, is now commonplace among vehicle owners. For connected vehicles, this means that lots of users are likely to interact with the same vehicle, each with their own preferences, expectations, and – crucially – data. 

Taken together, the security demands for connected vehicles – whether from regulators, third-party service providers, or individuals’ expectations for their data – are exhaustive in their scope. For Chinese connected car manufacturers, this means engaging with an array of cryptographic algorithms, key management, GDPR policies, and myriad other security practices that aren’t always necessary for domestic vehicles. 

How Trustonic can help

Trustonic’s Trusted Execution Environment (TEE) can provide a robust security foundation for addressing the security challenges faced by Chinese automotive exporters entering into an unfamiliar regulatory environment. 

Named Kinibi, our TEE supports a wide range of advanced cyber security protections, cryptographic algorithms and the ability to run trusted applications.   

Support is also provided for advanced requirements such as Level 1 DRM schemes required by streaming services – ensuring that in-vehicle entertainment is permissible and compliant in any vehicle equipped with our state-of-the-art security technology. 

Our compliant TEE is equally capable of providing many of the now-standard requirements for voice assistants like Amazon’s Alexa. Kinibi ensures that features like hardware-backed roots of trust and secure boot are present in its connected vehicle. 

More broadly (but no less significantly) our TEE can secure the Android Automotive platform: a mainstream means of delivering in-vehicle infotainment. Kinibi offers cryptographic key storage, user authentication, and file-based encryption. 

By incorporating our TEE at the design stage, Chinese automotive manufacturers will be in a position to export highly desirable vehicles to Western markets. Just as importantly, our TEE will allow them to confidently place security and trustworthiness at the forefront of their brand.  

Incumbent automotive brands, by contrast, have yet to market themselves on the basis of their security credentials in a sector marked by increasing connectivity. Backed by our TEE, Chinese automakers now have an excellent opportunity to fill this gap and position themselves as a safe pair of hands. 

For more information on how Trustonic’s solution can make Chinese vehicles compliant and exportable, learn more about our automotive cybersecurity solutions.